Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

I got an email a couple of days ago from Jan-Marten Spit and Jasper Spit to let me know the details of why they pulled version 1.1.7 of OPR from sourceforge and worked to fix a security hole. The new version 1.1.8 fixes the problem that was highlighted in the post I made about installing 1.1.7 made by Mike Thomas. I won't go into great detail but basically with 1.1.7 it was possible for a user in certain circumstances to create a malicious version of the Oracle client library and using that take control of the account that owned and was running OPR. Version 1.1.8 now checks the location of the ORACLE_HOME and loads the library based from this. It gets the location from the oratab file so OPR is now a little less environment tolerant (but safer). Also OPR now only loads up the Oracle libs if the user running it is the repository owner. Version 1.1.8 also solves the issue with LD_ environment variables for dynamic library loading.

If you use OPR then please get over to the OPR home page sourceforge and download it. If you do not use OPR then you could also get over there and consider its use for managing your Oracle passwords to help prevent password leakage on the command line.

PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database,
design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.